The COVIDSafe app - five key considerations

9 minute read  27.04.2020 Paul Kallenbach, Sonja Read, Cathy Lyndon, Susan Kantor, Helaena Short, Alex Consiglio

The Australian government’s contact tracing app ‘COVIDSafe’ is now available for download. How can the personal data collected be used? We set out five key considerations about the COVID-19 app, looking at how privacy is protected.

Australian public health agencies have heralded the app as an important tool for continuing to control the spread of COVID-19 in Australia.

What we know about the COVID-19 app

The process of contact tracing has been a vital part of Australia's COVID-19 pandemic response, and has been widely credited as a key reason for Australia's success in containing a potentially significant outbreak. To date, contract tracing officers have employed a manual process that relies on individuals diagnosed with COVID-19 recalling where they were and knowing who they were in close contact with during the period that they were infectious. This may be both difficult and impracticable, particularly where the infected individual has fallen ill.

The COVIDSafe app is designed to increase the speed and accuracy with which persons who may be at risk of contracting COVID-19 can be contacted by State and Territory health officials. It does this by exchanging anonymised user ID codes in 'digital handshakes' when two phones with the app are within 1.5 metres for approximately 15 minutes or more. The anonymised ID codes are encrypted within the app, and are stored for 21 days before being deleted. If an individual using the app is diagnosed with COVID-19, the anonymised ID codes stored on their phone can be used by state and territory agencies to contact those people – even where the patient has no idea of their identity, for example sitting next to someone on public transport.

From a privacy law perspective, it is apparent that privacy was a key consideration in the design of the COVIDSafe app. This exemplifies the 'privacy by design' requirement that underpins the privacy obligations imposed on Commonwealth Government agencies and private sector organisations under the Privacy Act 1988 (Cth).

It is also important that employers are aware that while they can encourage staff to download the app, they are not permitted to make this a condition of employment (or a return to work when restrictions are lifted). Outlined below are five key considerations about the COVID-19 app from a privacy and employment lawyers' perspective.

1. It is voluntary and can be deleted at any time

There are two voluntary steps in using the COVID-19 app, namely:

  • Deciding whether or not to download and use the app; and
  • If the app is downloaded and the user tests positive for COVID-19, deciding whether to upload the information collected by the app during its use to the Commonwealth Department of Health's COVIDSafe data store to be used by State and Territory health officials for contact tracing.

The Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs) regulate the collection, use and disclosure of personal information by Commonwealth agencies. Personal information can only be collected if certain requirements are met under APP 3, for instance consent to the collection is provided or the collection is required by law. The app is implemented so that a user (or their parent/guardian for users under 16 years of age) must expressly consent (by tapping their assent) to the collection and use of their information for each of these things. In the interests of transparency and public trust, the Commonwealth Government has embarked on a public campaign about how the data is collected and handled, in order to demonstrate it has met the requirements of APP 1 and 5 regarding privacy policies and notice and a notice is provided to users before they download the app from the app store.

Users can delete the COVIDSafe app from their phone at any time. This will delete all COVIDSafe app information stored on the phone. Although installation and use of the app is voluntary, many leaders, including union and business representatives, are encouraging its use to help Australia position itself to safely and progressively lift the current social distancing restrictions.

2. The app collects some personal information but it does not collect information about location

When the user installs the app on their phone, they are asked to expressly consent to the collection of the following information:

  • Mobile phone number – so the user can be contacted if contact tracing is to occur;
  • Name –for health officials to confirm who they are speaking to during contact tracing, although a pseudonym can be used in the app;
  • Age range – to identify the urgency of contact tracing by using age as a proxy for potential severity of the illness; and
  • Postcode – for contact tracing officials in the correct State or Territory to contact the user.

This information is collected by the Commonwealth Department of Health and stored in the COVIDSafe data store.

The COVIDSafe app does not collect any location (for example, GPS) information from any users. Rather, the app uses Bluetooth to identify other devices that have the app installed. It records the date and time, distance and duration of any contact with another app user on the user’s phone under anonymised and encrypted user IDs.

By comparison, South Korea has legislation which requires the publication of information relating to travel routes of infected persons. Location data from mobile phones (as well as other data such as credit card records) is used to create a publicly available map of where people diagnosed with COVID-19 have been. While the information is intended to be in a de-identified form, there have been some instances where public officials have released enough information to identify individuals, leading to cases of online harassment.

The Australian Government has also implemented ringfencing measures, so that users will not be able to access their own contact tracing data and health officials will not be permitted to disclose the identity of an infected user to someone with whom they have been in contact. These are discussed below.

3. There are significant restrictions on the use of the data

The new Biosecurity Determination, made under the Biosecurity Act 2015 (Cth) and which commenced at 11.59am on 25 April 2020, provides a number of protections in respect of the data collected by the COVIDSafe app and makes it an offence to:

  • Use the COVIDSafe app data for any purpose other than contact tracing;
  • Store the COVIDSafe app data outside Australia; and
  • Decrypt, or attempt to decrypt, any COVIDSafe app data.

The Commonwealth Government has made it clear that the COVIDSafe app will not act as a passport, or give clearance to anyone. This is confirmed in the Determination, which makes it an offence to:

  • Pressure anyone to install or continue to use the COVIDSafe app or upload app data;
  • Make it a condition of access to premises, a condition of employment or any other contracts or a condition on the giving or receipt of goods and services; or
  • Take any other adverse action against someone because they have, or haven't, installed the app.

Many employers have already encouraged their staff to download the app, including CEOs of major banks and the Australian Banking Association. Although employers and other companies can't require compulsory use of the app, as part of discharging their broader WHS obligations in managing COVID-19 risk, they can require that people do not enter their premises if they have been told to self-isolate or self-quarantine by a Health Department (whether through use of the app or otherwise). A failure to comply with the Determination has a potential penalty of five years’ imprisonment or $63,000, and further legislation is expected to be introduced in Parliament in May 2020 to support the Biosecurity Determination.

4. The contact information is collected on the user's phone, until a user diagnosed with COVID-19 consents to their data being uploaded to the national storage system

The contact data collected by the COVIDSafe app is encrypted and stored on individual phones, however users cannot access their own contact data (or anyone else’s).

Indeed, contact data is not accessible by anyone until a user is diagnosed with COVID-19 and consents to their contact data being uploaded to the national information storage system. If consent is given, state and territory health officials will contact relevant COVIDSafe app users whose details are stored within the infected person's COVIDSafe app. This process does not involve the disclosure of the identity of the person who has been diagnosed to any of their traced contacts.

If a user is not diagnosed with COVID-19 or, is diagnosed but does not consent to their contact data being uploaded to the national information storage system for contact tracing purposes, the contact data on the user's device will not leave their device.

5. The app stores information only for the period in which it is useful for contact tracing

The contact information stored in the app on each device is deleted on a 21 day rolling cycle. This allows the data to be available only for the period in which it is useful for contact tracing including the maximum 14 day incubation period plus the time taken to confirm a positive test result. Should the user delete the app, all app information, including contact data, is removed from the device. The Commonwealth Government has stated that the information stored within the national information storage system will be destroyed at the end of the pandemic.

A balancing act

The design of the COVID-19 app has sought to balance public health interests with privacy concerns, and has resulted in an app that has a number of positive features for user privacy. If sufficient numbers of Australians use the app, it will be a useful tool to assist state and territory contact tracing officers to manage outbreaks of COVID-19. At the time of writing (less than 24 hours after the app's release), more than a million Australians have downloaded and installed the app – exceeding the Department of Health's five day target. If you would like any assistance in understanding your obligations in dealing with privacy or workplace issues arising from COVID-19, please contact our team.

Contact

Tags

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJuYW1laWQiOiI1MGY0YTBjNy03NWRmLTQ3MzItYmY1MS0xNDI4MjhmNGYwNmMiLCJyb2xlIjoiQXBpVXNlciIsIm5iZiI6MTczOTEzNDg0MSwiZXhwIjoxNzM5MTM2MDQxLCJpYXQiOjE3MzkxMzQ4NDEsImlzcyI6Imh0dHBzOi8vd3d3Lm1pbnRlcmVsbGlzb24uY29tL2FydGljbGVzL3RoZS1jb3ZpZHNhZmUtYXBwLWZpdmUta2V5LWNvbnNpZGVyYXRpb25zIiwiYXVkIjoiaHR0cHM6Ly93d3cubWludGVyZWxsaXNvbi5jb20vYXJ0aWNsZXMvdGhlLWNvdmlkc2FmZS1hcHAtZml2ZS1rZXktY29uc2lkZXJhdGlvbnMifQ.8slFGEsCtd8SX32oG-ENDscprrQEekVIIa6O1CPEzD0
https://www.minterellison.com/articles/the-covidsafe-app-five-key-considerations